Metadata: Upgrade Exiftool to fix security issue #1302
Comments
Already working on it: https://ubuntu.com/security/CVE-2021-22204
You can help by telling the Ubuntu team how important that is to you.
In the meantime, you may disable Exiftool in the Advanced Settings and restart PhotoPrism:
Our latest Docker image comes with the (hopefully) fixed version while everyone's waiting for an official update via apt:
Give us a few minutes to build a new release and upload the images.
Note that allowing public uploads (like we do on our demo) is a generally bad idea in terms of security, as we have a very long list of supported formats. It is safe to assume that some libs needed to read those contain currently unknown security issues. Besides exploits, uploads may also contain copyrighted material or pornography. For the same reason, you shouldn't open email attachments from strangers and shouldn't use a virus scanner that does so automatically: exploiting its parsers is a common attack vector. In a later release, we may try to wrap external tools for added security (help welcome).
Released: https://github.com/photoprism/photoprism/releases/tag/210519-24b5c7e6 @testanull Can you test again, please? Our demo is already updated. Happens automatically.
I'm having trouble while trying to docker-compose up
That looks like our development image?
Added a security policy to our Developer Guide: https://docs.photoprism.org/developer-guide/security/policy/ |
@testanull We just switched from our manual fix to the official fix from Ubuntu. Could you test it again?
Sorry, I've already removed the PoC and the lab
Maybe someone else can test it for us? Would be super helpful.
CVE-2021-22204 is a critical RCE in ExifTool (ref: https://devcraft.io/2021/05/04/exiftool-arbitrary-code-execution-cve-2021-22204.html). It can be easily triggered just by parsing an image (ex: exiftool foo.jpg).
I found that PhotoPrism is using ExifTool while importing images after uploading, and I also succeeded in confirming the vulnerability on the PhotoPrism demo page.
Please do something to fix this vuln.
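Since the thread asks for someone else to verify the fix, here is an added check (an example script written for this page, not code from PhotoPrism or ExifTool) that tells you whether the ExifTool inside a container is still in the affected range. Upstream fixed the bug in ExifTool 12.24; versions 7.44 through 12.23 are affected. The caveat that matters on Ubuntu/Debian images: the distro backports the fix without changing the upstream version string (so `exiftool -ver` keeps printing e.g. 11.88), which is why the script also greps the package changelog for the CVE id. The changelog path below is the standard Debian location and is an assumption about the image being checked.

```shell
#!/bin/sh
# Added example: classify an ExifTool version with respect to CVE-2021-22204.
# Affected range per the upstream advisory: 7.44 .. 12.23 (fixed in 12.24).

# Convert an ExifTool version "MAJOR.MINOR" into an integer for comparison.
# ExifTool minor versions are always two digits (12.00, 12.08, 12.23), so
# MAJOR*100+MINOR orders them correctly.
vernum() {
    major=${1%%.*}
    case "$1" in
        *.*) minor=${1#*.} ;;
        *)   minor=0 ;;
    esac
    minor=${minor#0}            # "08" -> "8": avoid octal interpretation
    echo $(( major * 100 + minor ))
}

# Prints "vulnerable" if the upstream version is in the affected range,
# "fixed" otherwise. Note: a distro-patched package can be "fixed" even
# though its upstream version string says "vulnerable" (see below).
exiftool_status() {
    n=$(vernum "$1")
    if [ "$n" -ge "$(vernum 7.44)" ] && [ "$n" -le "$(vernum 12.23)" ]; then
        echo vulnerable
    else
        echo fixed
    fi
}

# Run this inside the PhotoPrism container (e.g. docker exec). Everything
# below is guarded so the script is harmless where exiftool is absent.
if command -v exiftool >/dev/null 2>&1; then
    installed=$(exiftool -ver)
    echo "ExifTool $installed (upstream version): $(exiftool_status "$installed")"

    # Debian/Ubuntu backport security fixes without bumping the upstream
    # version, so also look for the CVE in the package changelog (assumed
    # standard Debian path for the libimage-exiftool-perl package).
    changelog=/usr/share/doc/libimage-exiftool-perl/changelog.Debian.gz
    if [ -r "$changelog" ]; then
        if zcat "$changelog" 2>/dev/null | grep -q 'CVE-2021-22204'; then
            echo "package changelog mentions CVE-2021-22204: distro fix present"
        else
            echo "package changelog does not mention CVE-2021-22204"
        fi
    fi
fi
```

Treat the two results together: an upstream version of 12.24 or later is fixed regardless of the changelog; an older version is only safe if the package changelog (or the vendor advisory for that exact package version) confirms the backport.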